feat(ci): item-2 cross-surface contract parity (stdlib-only package)

internal/ciparity/ — new stdlib-only package with four tests:

1. TestSurfaceParity_MCPToolCatalogue (HARD GATE):
   - Every MCP tool name conforms to certctl_<word>(_<word>)*
   - No duplicate names across the five tools*.go files
   - Total tools ≥ mcpBaselineFloor (150; current count 155)
   Catches accidental tool deletions + naming-convention drift.

2. TestSurfaceParity_CLICommandCatalogue (INFORMATIONAL):
   Walks cmd/cli/main.go's switch-case dispatcher. Logs the 31
   distinct verbs. Per frozen decision 0.9, warn-only until the CLI
   surface stabilizes.

3. TestSurfaceParity_OpenAPI_MCPHeuristicCoverage (INFORMATIONAL):
   Reports the fraction of OpenAPI ops whose path tokens overlap
   with MCP tool name tokens. Trend metric; current coverage 92%.

4. TestSurfaceParity_Summary (INFORMATIONAL):
   One-glance count of router routes / OpenAPI ops / MCP tools / CLI
   verbs. Easy eyeball for a PR reviewer.

Verified in sandbox:
  - gofmt clean
  - go vet clean
  - go test -short -count=1: all four PASS in 0.017s

Stdlib-only by design — the tests read source files with os.ReadFile +
regexp + go/ast. Keeps the test runnable without pulling in the rest
of the codebase's transitive deps; fast self-contained signal.

Router ↔ OpenAPI parity (TestRouter_OpenAPIParity) stays in
internal/api/router/openapi_parity_test.go where it already lives.
This bundle does not duplicate it.

Allowlist scaffold at scripts/ci-guards/surface-parity-mcp-exemptions.yaml
for the day TestSurfaceParity_OpenAPI_MCP* is promoted from
informational to hard gate.

Audit-Closes: post-v2.1.0-anti-rot/item-2

scripts/ci-guards/surface-parity-mcp-exemptions.yaml

@@ -0,0 +1,34 @@
+# scripts/ci-guards/surface-parity-mcp-exemptions.yaml
+#
+# Allowlist for OpenAPI operations that are intentionally NOT mirrored
+# in the MCP tool catalogue. Consumed by
+# internal/api/router/surface_parity_test.go::TestSurfaceParity_*.
+#
+# The current MCP parity tests are informational (per frozen decision
+# 0.9). This file exists so when those tests are promoted to hard
+# gates, the carve-outs are already documented and the promotion is
+# mechanical.
+#
+# Each entry shape:
+#
+#   - operation: "METHOD /api/v1/path"
+#     justification: "one-line reason this is legitimately HTTP-only"
+#     expires: "YYYY-MM-DD"        # required; 90-day default
+#
+# Categories of legitimate carve-outs (DO add these when the test is
+# promoted to fail-on-miss):
+#
+#   - ACME wire protocol (RFC 8555 + RFC 9773 ARI)
+#   - SCEP wire protocol (RFC 8894)
+#   - EST wire protocol (RFC 7030)
+#   - OCSP responder
+#   - CRL distribution
+#   - Healthcheck / readiness / version endpoints
+#   - OIDC callback / back-channel-logout
+#   - SPA fallback for the embedded web UI
+#
+# DO NOT add entries here to silence the test on an oversight. If an
+# operation should have an MCP tool and doesn't, that's the bug — add
+# the tool.
+
+exceptions: []